Not disinfecting Worm.Win32.AutoIt.u

Discussion in 'ESET NOD32 Antivirus' started by penjoseph, Feb 28, 2008.

Thread Status:
Not open for further replies.
  1. penjoseph

    penjoseph Registered Member

    Joined:
    Dec 5, 2006
    Posts:
    26
    One of our laptops was infected by a virus from a USB pen drive.

    There is an exe running called KHATARNAK.exe. The virus signature shows as Worm.Win32.AutoIt.u.

    The Registry Editor is disabled,
    Internet Explorer & Firefox browsers are infected with messages,
    Folder Options in Windows Explorer is disabled,
    Task Manager is disabled.

    A whole lot of exes are created, e.g.
    Songs.exe, New Folder.exe, Jokes.exe, Files.exe, Program Files.exe, windows.exe, etc.


    NOD32 tried to quarantine the exe, but failed to detect & remove the virus.


    We uninstalled NOD32 & installed Kaspersky which immediately detected the virus & removed it.
     
  2. penjoseph

    penjoseph Registered Member

    Joined:
    Dec 5, 2006
    Posts:
    26
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The point is the trojan is detected. It sounds like you managed to run it before NOD32 quarantined it (e.g. you installed NOD32 after your computer got infected, or you hadn't kept the signature database up to date, or had the real-time protection disabled).

    I don't think there is an antivirus that reverses registry changes, as it might reverse changes intentionally made by an administrator. There are hints on the web on how to enable certain system features in the registry.
     
  4. guilijan

    guilijan Registered Member

    Joined:
    Jun 25, 2006
    Posts:
    206
    KAV/KIS alert you (if you set it) to any change in the registry and ask for your permission to allow it or not.
     
  5. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    I think that's because of KAV's PDM (behavioral heuristic? or HIPS?).

    thanatos
     
  6. wiak

    wiak Registered Member

    Joined:
    Sep 10, 2006
    Posts:
    107
    you know the drill, reboot into safe mode and run NOD32 :ninja:
     
  7. penjoseph

    penjoseph Registered Member

    Joined:
    Dec 5, 2006
    Posts:
    26
    We have a 100-user licence bought 1 1/2 years back when NOD32 was becoming popular. We switched from Norman, which we had been using for 4 years, to NOD32.

    The laptop was a fresh Windows XP install (one month back, since the hard disk was replaced) with NOD32 v3 regularly updated from the local antivirus update server.


    Real-time protection was enabled. Meaning NOD32 was installed & configured prior to the system getting infected.

    The user had administrative privileges.

    NOD32, I repeat, failed to disinfect the laptop. It tries to quarantine the exes created, like songs.exe, new folder.exe, etc., but the exes are created again, failing to remove the root infection.


    After searching the internet for good antivirus products, Kaspersky caught my attention for its high detection & disinfection rates. So I thought I would give it a try.

    Kaspersky was installed, after uninstalling NOD32, on the already infected system.


    Kaspersky, I repeat, disinfected the system even though it was installed after the laptop was infected.


    Yes, I know about editing the registry & modifying it through scripts, and also about using the Group Policy Editor (gpedit.msc), but it would be a tedious job editing infected systems. For the above-mentioned laptop, Kaspersky only removed the infection; I enabled Folder Options and Task Manager through group policy settings.


    Joseph Eapen
     
    Last edited: Feb 29, 2008
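    The clean-up step the thread keeps circling back to (the worm disabling the Registry Editor, Task Manager and Folder Options, and the AV leaving those policy values behind) is what this added script addresses. It is an example added here, not code from any poster or from ESET or Kaspersky; it assumes an elevated PowerShell session on the affected machine after the running worm has already been removed, and it uses the standard Windows policy value names, which are not quoted in the thread itself.

    ```powershell
    # Added example: audit, and with -Fix clear, the per-user and per-machine
    # policy values this kind of worm sets to lock the user out of the
    # Registry Editor, Task Manager and Explorer's Folder Options.
    # Assumption: run elevated, after the AV has removed the worm; if the worm
    # is still running it will simply re-apply these values.
    param([switch]$Fix)

    # Standard Windows policy values; a non-zero DWORD means "feature disabled".
    $Checks = @(
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; What = 'Registry Editor' },
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       What = 'Task Manager' },
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions';      What = 'Folder Options' }
    )

    $found = 0
    foreach ($hive in 'HKCU:', 'HKLM:') {
        foreach ($c in $Checks) {
            $path = Join-Path $hive $c.Key
            if (-not (Test-Path $path)) { continue }
            $item = Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }
            $value = $item.($c.Name)
            if ($value -ne 0) {
                $found++
                Write-Host ("{0}\{1} = {2}  ({3} is disabled)" -f $path, $c.Name, $value, $c.What)
                if ($Fix) {
                    # Removing the value restores the default (enabled) behaviour.
                    # A domain GPO that legitimately sets it will re-apply it on the
                    # next policy refresh, so this does not fight a real admin policy.
                    Remove-ItemProperty -Path $path -Name $c.Name
                    Write-Host ("  removed {0} from {1}" -f $c.Name, $path)
                }
            }
        }
    }

    if ($found -eq 0) {
        Write-Host 'No lockdown policy values found in HKCU or HKLM.'
    } elseif (-not $Fix) {
        Write-Host ("{0} value(s) found; re-run with -Fix to remove them." -f $found)
    }
    ```

    Running it without -Fix first is the useful habit: if the values come back after a reboot, the infection itself is still present and no amount of registry editing will stick, which is exactly the symptom described in this thread.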
  8. penjoseph

    penjoseph Registered Member

    Joined:
    Dec 5, 2006
    Posts:
    26

    Yes, I am thorough with the drill, having maintained both Windows & Linux systems for 10 years.

    Let me repeat: even in Windows safe mode, NOD32 DOES NOT remove the root infection. The exes appear back after the laptop is rebooted!


    So how many times should I go through the drill again, Sergeant? :blink:
     
    Last edited: Feb 29, 2008
  9. proactivelover

    proactivelover Registered Member

    Joined:
    Apr 7, 2006
    Posts:
    840
    Location:
    Near Wilders Forums
    It reminds me of the day when I was infected by this trojan.
    This trojan only came via USB flash drives.
     